Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Christian Mainka <Christian.Mainka@rub.de> Mon, 10 May 2021 12:43 UTC

To: rifaat.s.ietf@gmail.com, karsten.meyerzuselhausen@hackmanit.de
Cc: oauth@ietf.org
References: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de> <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com>
From: Christian Mainka <Christian.Mainka@rub.de>
Message-ID: <6096c803-ed87-e14d-83ee-32e8d2da76c5@rub.de>
Date: Mon, 10 May 2021 14:43:11 +0200
In-Reply-To: <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j1zABw0_P7BFladOTo4KmweL_gU>
Subject: Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Hi,

I read the document, have no concerns, and support it.

Christian

On 01.05.21 22:46, Rifaat Shekh-Yusef wrote:
> All,
> 
> We have not seen any comments on this document.
> Can you please review the document and provide feedback, or indicate that
> you have reviewed the document and have no concerns?
> 
> Regards,
>   Rifaat & Hannes
> 
> 
> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
> karsten.meyerzuselhausen@hackmanit.de> wrote:
> 
>> Hi all,
>>
>> The latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>
>> There have not been any concerns with the first WG draft version so far:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or concerns with
>> the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and hopefully
>> finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>
>> --
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:	+49 (0)234 / 54456499
>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>
>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>>
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>>
>> Registergericht: Amtsgericht Bochum, HRB 14896
>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>

-- 
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr University Bochum, Germany

Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany

Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
https://nds.rub.de/chair/people/cmainka/
@CheariX